Script that adds domain grp to local Admn group when joining domai

Guest

Hello,

I have a Help Desk group solely for troubleshooting PC's across the 2003
domain and that set up and configure PC's for the domain. On all PC's in the
domain, I ran a program that added the group 'PCAdmins' to every local Admin
group in the domain.
The problem I have now is how do I have a Help Desk tech join a PC to the
domain and have the PCAdmins group already added to the local Admin group.
Since the tech is just a Domain user and a member of the PCAdmins group, how
can the group get added for him to administrate just the PC?
 
Guest

Also to add to the original post, I know I can add a startup script to a GPO
and use the command

net localgroup Administrators /add "domain\group_name"

But that will not run until the computer object is moved into the container
that has the GPO configured. By default you cannot add a GPO to the default
Computer container and the Help Desk techs have no delegation to AD
whatsoever so they cannot move the computer object into the container that
has the GPO configured. Someone please help!!! Please!!!

Jimmy K
 
Brandon McCombs

Jimmy said:
> Hello,
>
> I have a Help Desk group solely for troubleshooting PC's across the 2003
> domain and that set up and configure PC's for the domain. On all PC's in the
> domain, I ran a program that added the group 'PCAdmins' to every local Admin
> group in the domain.
> The problem I have now is how do I have a Help Desk tech join a PC to the

Edit the domain policy (and maybe the domain controller policy as well):
Comp Configuration->Windows settings->Security Settings->user rights
assignment->Add workstations to a domain
Edit that setting to include the PCAdmins group.

> domain and have the PCAdmins group already added to the local Admin group.
> Since the tech is just a Domain user and a member of the PCAdmins group, how
> can the group get added for him to administrate just the PC?

That would be "administer", not "administrate", and the tech still needs an
administrator level password to join the PC to the domain.
 
Brandon McCombs

Jimmy said:
> Also to add to the original post, I know I can add a startup script to a GPO
> and use the command
>
> net localgroup Administrators /add "domain\group_name"
>
> But that will not run until the computer object is moved into the container
> that has the GPO configured. By default you cannot add a GPO to the default
> Computer container and the Help Desk techs have no delegation to AD
> whatsoever so they cannot move the computer object into the container that
> has the GPO configured. Someone please help!!! Please!!!

As in the last message I posted, edit the domain policy (admin templates section) to
have a startup script run your command. The domain policy would be the only one
that would work for you since you haven't moved the computers out of the Computers
folder yet.
 
Guest

Hi Brandon,

Thanks for your help, though the startup script in the domain policy did not
work. I tried it on the Default Domain policy and under the Domain
Controllers Policy container and still did not work. I do not believe that
the Computers container falls under any of those policy hierarchies. Any
other ideas?
Also, by default, Authenticated users can join any computer onto the network
and all you need is the password of any user that has the right to join any
computer to the network. Please do not assume that I took that group out
unless you had no clue that was the default permission for joining a computer
to the network.
So far both your suggestions did not work. Any other ideas?

Jimmy K
 
mark

Actually, settings in the Default Domain policy will apply to the
Computers container. However I don't think you could get that script to
work from GPO without elevating the script's privileges first.

Stupid question perhaps, but are you setting up new servers from an
image? Many people don't realize you can add your "gold" image server
to the domain, add the appropriate domain groups to local groups or
acls, then remove the server from the domain and those sids will
remain. Sysprep and create your image, then new servers created from
that image will already have the necessary accounts applied as soon as
they're added to the domain.
 
